What is the Network and Information Security 2 (NIS2) Directive?


To address the ongoing threat of cyber attacks, the European Union (EU) has put in place the Network and Information Systems Directive (NIS2) – a comprehensive legal framework intended to bolster cyber security by imposing obligations on organisations to manage cyber risks, report incidents, and cooperate with authorities to streamline incident response.

The directive applies to certain critical sectors such as energy, transportation, and health and requires companies to take measures to protect their systems from threats like malware and ransomware, as well as report certain types of incidents to relevant authorities. 

The twin directives of NIS2 and the Critical Entities Resilience (CER), which replaces the European Critical Infrastructure Directive of 2008, came into force in January 2023, with member states given until 17 October 2024 to comply. These two measures address varying aspects of cyber security, with NIS2 focusing on enhancing the cyber security of digital service providers and essential service providers, while CER focuses on ensuring the resilience of critical entities in the EU.

The UK, meanwhile, has also updated its own NIS regulations. These have…
